Digi TransPort WR31 - Page 710

Configure security settings Firewall
Digi TransPort WR Routers User Guide 705
Using [inspect-state] with ICMP
You can also use the [inspect-state] option with ICMP codes. To allow outgoing echo requests and the
echo replies that answer them, create one rule:
pass out break end on ppp 0 proto icmp icmp-type echo inspect-state
The advantage of using inspect-state, other than needing just one rule, is that it leads to a more
secure firewall. For instance, with the inspect-state option, echo replies are not allowed in all
the time; they are only allowed in once an echo request has been sent out on that interface. The
moment that a valid echo reply comes back (or there is a timeout), echo replies are blocked
again. Furthermore, the full IP address is checked; the IP source and destination of the reply must
exactly match the IP destination and source of the echo request. By comparison, a rule that allows
echo replies in without using inspect-state could not check the source address at all, and its
destination address would match any IP address on our network.
You can use the inspect-state option with the following ICMP packet types:
ICMP type    Matching ICMP type
Echo         Echo reply
Timest       Timestrep
Inforeq      Inforep
Maskreq      Maskrep
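The behaviour described in this section, modelled as a small state table next to a stateless check. This is an added example, not code from the user guide or from Digi firmware. The class and function names, the timeout value and the addresses are assumptions, and the model tracks only what this page describes (ICMP type plus exact source and destination).

```python
# Added illustration of inspect-state for ICMP; not Digi firmware code.
# Request type -> reply type it permits, using the labels from the table above.
REPLY_FOR = {
    "echo": "echo reply",
    "timest": "timestrep",
    "inforeq": "inforep",
    "maskreq": "maskrep",
}


class IcmpStateTable:
    """Tracks outbound ICMP requests and admits only their matching replies."""

    def __init__(self, timeout=10.0):  # timeout value is an assumption
        self.timeout = timeout
        self.pending = {}  # (reply_type, reply_src, reply_dst) -> expiry time

    def outbound(self, icmp_type, src, dst, now):
        """Pass a request out and record the one reply it allows back in."""
        reply_type = REPLY_FOR.get(icmp_type)
        if reply_type is None:
            return False  # not a request type this rule covers
        # The reply must come from the request's destination to its source.
        self.pending[(reply_type, dst, src)] = now + self.timeout
        return True

    def inbound(self, icmp_type, src, dst, now):
        """Admit a reply only if a live, exactly matching request is pending."""
        expiry = self.pending.pop((icmp_type, src, dst), None)  # one-shot entry
        return expiry is not None and now <= expiry


def stateless_inbound(icmp_type, src, dst):
    """Stateless comparison: any echo reply passes, whoever sent it."""
    return icmp_type == "echo reply"


if __name__ == "__main__":
    fw = IcmpStateTable()
    lan, peer, other = "192.0.2.10", "198.51.100.7", "203.0.113.9"  # constructed
    print("unsolicited reply:", fw.inbound("echo reply", peer, lan, 0.0))
    fw.outbound("echo", lan, peer, 1.0)
    print("reply from wrong source:", fw.inbound("echo reply", other, lan, 2.0))
    print("matching reply:", fw.inbound("echo reply", peer, lan, 3.0))
    print("second reply:", fw.inbound("echo reply", peer, lan, 4.0))
    print("stateless, wrong source:", stateless_inbound("echo reply", other, lan))
```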
